cloud, hacking

flAWS Level 1 #aws #flAWS #flaws

Another day, another challenge.

In today’s post, we will solve the first challenge of the flAWS CTF.

flAWS CTF explores misconfigurations, and gotchas in AWS.

Let’s get started.

NOTE: I will be using the AWS command line. Which you can download HERE.

Going to the URL, http://flaws.cloud/, we’re presented with:

flAWS_landing_page

Scrolling down we see:

flAWS_level1

From the little bit of information we have this level contains buckets, and we possibly need to view the contents.

In AWS, there is a service called S3 or Simple Storage Service which is used for storing items for the Internet. To store an item you will need to create a bucket (see how everything is starting to come together…). Once the bucket is created, you can add your items to it.

Opening a command prompt we can type the following command

aws s3 ls <s3 domain>

Let’s break down this command.

  1. We’re using the AWS command line (by typing aws)
  2. We’re specifying we want to access the s3 service
  3. We want to list the contents of said bucket (ls = listing)
  4. We’re specify the s3 domain we want to access

In this case we will type aws s3 ls s3://flaws.cloud

Below is the output:

flaws_level1_listing_directory

Hmm… there’s a secret-dd02c7c.html file. Let’s see if we can access it.

Opening a web browser (I’m using Chrome) and entering the following URL: http://flaws.cloud/secret-dd02c7c.html,&nbsp;you should see:

flAWS_level1_solved

Yay! We have solved the challenge, along with getting the URL for level 2.

Look out for another blog post where we solve that challenge.

Takeaway from the challenge –

For this level the bucket was public which means it’s accessible for EVERYONE. If there’s sensitive information that the world should not see, AWS allows for buckets to be private.